Authentication method and apparatus for detecting and preventing source address spoofing packets

Abstract

An authentication apparatus for detecting and preventing a source address spoofing packet, includes a packet reception unit configured to receive a packet from a previous node or a user host; a self-assurance type ID generation unit configured to generate a self-assurance type ID of a source node of the received packet; and a self-assurance type ID verification unit configured to determine whether the source address of the received packet has been spoofed. Further, the authentication apparatus includes a white list storage unit configured to store a reliable source node; a black list storage unit configured to store an unreliable source node; and a packet transmission unit configured to transmit the packet whose source has been verified through the self-assurance type ID verification unit to a next network node.

Description

CROSS-REFERENCE TO RELATED APPLICATION(S)[0001]The present invention claims priority of Korean Patent Application No. 10-2011-0132070, filed on Dec. 9, 2011, which is incorporated herein by reference.FIELD OF THE INVENTION[0002]The present invention relates to detection and prevention of an address spoofing packet; and more particularly, to an authentication method and apparatus for detecting and preventing a source address spoofing packet which are capable of basically defending against a malicious attack such as a distributed denial of service denial (DDoS).BACKGROUND OF THE INVENTION[0003]In general, the Internet based on the current transmission control protocol / Internet protocol (TCP / IP) is very vulnerable to security when a malicious user arbitrarily changes a source and a destination. In particular, a basic cause of a distributed denial of service (DDoS) attack lies in distribution of a packet whose source address is changed.[0004]Thus, various countermeasure methods for dete...

AI Technical Summary

Benefits of technology

[0008]Further, the present invention provides an authentication method and apparatus for detecting and preventing a source address spoofing packet, which are capable of basically detecting whether a source address of a packet is spoofed by a network layer and forwarding only a packet having a normal source address in a router.

[0021]In the system for verifying a source address for detecting and preventing a source address spoofing packet in accordance with the present invention, a network layer fundamentally detects a source address spoofing packet and a router forwards only a packet having a normal source address, thereby fundamentally defending against a malicious attack such as DDoS or the like.

[0022]That is, a source of a packet may be verified by using a self-assurance type ID by which a transmitter may assure a receiver that the transmitter has a proper address without intervention or help of a third party, and a network layer fundamentally detects whether a source address of a packet has been spoofed to allow a router to forward only a packet having a normal source address, thereby fundamentally defending against a malicious attack such as DDoS or the like.

[0023]Further, the system in accordance with the present invention may enhance stability by using a second hash value even when a length of a self-assurance type ID is shorter than a length of a hash function, in generating the self-assurance type ID.

Problems solved by technology

In general, the Internet based on the current transmission control protocol / Internet protocol (TCP / IP) is very vulnerable to security when a malicious user arbitrarily changes a source and a destination.

In particular, a basic cause of a distributed denial of service (DDoS) attack lies in distribution of a packet whose source address is changed.

However, in spite of the various conventional methods for detecting source address spoofing packets, an attack of DDoS by source address spoofing packets is still made.

Images